[release/v7.5.6] [StepSecurity] ci: Harden GitHub Actions tokens by daxian-dbw · Pull Request #27224 · PowerShell/PowerShell
Backport of #27202 to release/v7.5.6
Triggered by @daxian-dbw on behalf of @step-security-bot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
- Required tooling change
- Optional tooling change (include reasoning)
Hardens GitHub Actions token permissions in shared CI workflows on the release branch. This is a required tooling/security posture update for repository automation.
Customer Impact
- Customer reported
- Found internally
Regression
REQUIRED: Check exactly one box.
- Yes
- No
This is not a regression.
Testing
Cherry-pick applied cleanly to release/v7.5.6. The change is limited to GitHub workflow permission declarations in three workflow files, and validation will rely on backport PR CI for the release branch.
Risk
REQUIRED: Check exactly one box.
- High
- Medium
- Low
Medium risk because it changes CI authentication permissions across shared workflows and could expose missing permissions in automation, but the scope is tightly limited to workflow token configuration already validated on main.
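
The following is an added example, not part of this pull request or the PowerShell repository: a small audit that reports which jobs in a workflow file have no `permissions` declaration at workflow or job level and therefore run with the repository's default `GITHUB_TOKEN` permissions. The function name `audit_workflow` and the sample workflow are constructed for illustration, and the scan assumes block-style YAML with consistent space indentation.

```python
import re

# Matches "key:" mapping lines; list items ("- run: ...") do not match.
KEY = re.compile(r"^(\s*)([A-Za-z0-9_-]+):(.*)$")

def audit_workflow(text):
    """Return findings about GITHUB_TOKEN permission declarations (hypothetical helper)."""
    top_perms, jobs = None, {}          # jobs: job id -> declares permissions?
    in_jobs, job_indent, current, key_indent = False, None, None, None
    for raw in text.splitlines():
        m = KEY.match(raw.split(" #")[0].rstrip())   # drop trailing comments
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:                 # top-level key
            in_jobs, job_indent, current = (key == "jobs"), None, None
            if key == "permissions":
                top_perms = value or "<mapping>"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent     # indentation of job ids
            if indent == job_indent:
                current, key_indent = key, None
                jobs[current] = False
            elif current is not None:
                if key_indent is None:
                    key_indent = indent # indentation of keys inside a job
                if indent == key_indent and key == "permissions":
                    jobs[current] = True
    if top_perms == "write-all":
        return ["top-level permissions is write-all"]
    if top_perms is None:               # no workflow-wide restriction
        return [f"job '{j}' inherits default token permissions"
                for j in sorted(jobs) if not jobs[j]]
    return []

# Constructed sample workflow, not taken from the repository.
UNHARDENED = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo build
  label:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - run: echo label
"""
HARDENED = UNHARDENED.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)
```

Running the audit before and after a hardening change shows which jobs move from default to declared permissions; a job that then fails in CI is one that needed a scope the declaration does not grant.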